OCR's New Top HIPAA Enforcer Departs
What Will Be the Impact of Iliana Peters' Exit?
Iliana Peters has left the Department of Health and Human Services' Office for Civil Rights just months after she was named to replace the agency's former top HIPAA enforcer, Deven McGraw, as acting deputy director for health information privacy.
Peters on Feb. 5 joined the Washington office of the law firm Polsinelli as a shareholder and an attorney in its healthcare operations practice. Her last day at OCR was Feb. 2.
Peters tells Information Security Media Group that her departure from OCR - only months after the departure of McGraw - shouldn't be interpreted as another sign of a brain drain at the agency or an indicator that OCR is changing course on its enforcement activities.
Despite the departure of McGraw in November to join Silicon Valley start-up health technology firm Ciitizen and Peters' exit after about 12 years at the agency - including a long stint as the senior adviser for HIPAA compliance and enforcement - "the career staff at OCR hasn't changed much" lately, Peters says. Neither has the agency's HIPAA enforcement focus, she contends. "Enforcement is in a good place at OCR."
In addition to OCR's Washington headquarters staff, "the regional staff is terrific," she says. "They really know these cases and how they should be handled, moved forward. OCR continues enforcing HIPAA, [including] publishing guidance."
But privacy attorney Kirk Nahra of the law firm Wiley Rein, a regulatory expert, says Peters' departure raises concerns. "Her departure is a significant loss for an office that has already had a substantial leadership depletion," he says.
Commenting on her new job, Peters says she will continue to work on matters pertaining to privacy, security, HIPAA and the Genetic Information Nondiscrimination Act. "I've spent so many years in enforcement - I'll be on the other side, working with entities," including organizations dealing with privacy and security issues, she says. "I'm eager to be on the other side to help," she says.
In her new role, Peters will be working with two other former OCR colleagues who left the agency several years ago, she notes.
In a statement provided to ISMG, OCR confirms that Tim Noonan has been named the new acting deputy director for health information privacy. Prior to this appointment, Noonan was OCR's southeast regional manager for the past four years, and more recently was serving as the acting associate deputy director for regional operations and the acting director for centralized case management operations in OCR's headquarters.
"Tim brings a wealth of knowledge and experience to this position having developed the southeast region's health information privacy outreach and enforcement program, and collaborating with OCR's HIP team in his multiple positions over the years," the statement says.
Peters notes that OCR has been busy with enforcement work, including recently issued guidance related to the 21st Century Cures Act, as well as two recent multimillion-dollar HIPAA settlements.
Those settlements include a $3.5 million agreement with Waltham, Mass.-based Fresenius Medical Care North America in late January in a case involving five smaller breaches. And in December, a federal bankruptcy court approved a $2.3 million settlement between OCR and bankrupt cancer care clinic chain 21st Century Oncology, pertaining to a 2015 cyberattack that impacted 2.2 million individuals. The payment was to be made by 21st Century Oncology's cyber insurer, Beazley Group.
Both of those settlements related to breaches reported to OCR several years ago. But Peters stresses that OCR has a pipeline of other active investigations, and she notes that cases that are considered for enforcement action take many years to develop.
OCR chooses such cases carefully, she says. "HHS is risk-averse. Every case OCR takes to settlement was also considered [as a] civil monetary penalty case. It takes years for OCR [to collect] evidence to bring to an [HHS] administrative law judge" to pursue a HIPAA enforcement case, she says.
Peters admits, however, that like many other federal agencies, including other HHS divisions, OCR's resources are stretched. For instance, the 21st Century Cures Act signed into law in late 2016 "asked OCR to do a lot," but budget appropriations haven't been approved for the agency to work on certain provisions, she acknowledges.
Peters notes that OCR Director Roger Severino, like many of his predecessors, including the Obama administration's Jocelyn Samuels and Leon Rodriguez, came to the agency as an attorney with civil rights expertise, but not a background in HIPAA.
"As with any administration or change, a new director needs time to get up to speed," she says.
Impact of Departure
Although Peters contends that OCR isn't in the midst of a HIPAA expert exodus, Nahra, the privacy attorney, says her exit will, nevertheless, sting the agency.
"While there is very qualified and experienced staff still there, it is not at all clear where the leadership on HIPAA issues will be coming from," Nahra says. "The new director [Severino] does not have significant HIPAA experience - neither did his predecessor - but he also seems focused on other non-HIPAA activities in the office."
Transition is normal in a new administration, Nahra acknowledges. "But this is now both past the typical transition period and showing more signs of potential disarray or, at a minimum, a leadership vacuum. OCR has often been a model enforcement agency - good for both consumers/patients and the regulated industry, which is very rare - but its direction at this point is very unclear."
Still, healthcare entities shouldn't read the recent shakeup in HIPAA leadership at OCR as an invitation to slack off on their duties to protect patient data, Nahra warns.
"For covered entities and business associates, this leadership vacuum - even if it means less enforcement in the short term - should not be taken as an excuse to ignore HIPAA," he says.
"OCR enforcement - even at its most aggressive - always has lagged behind many other consequences of bad privacy and security activities - lawsuits, state enforcement, business problems and bad publicity," he says. "Companies may need to be even more vigilant in their activities since these other risks are growing and typically have an impact more quickly than OCR enforcement."
Team Still in Place
Privacy attorney David Holtzman, a former OCR senior adviser who is now vice president of compliance at security consultancy CynergisTek, says Peters will be missed by OCR both for her "institutional memory and her leadership" of the health information privacy division.
But despite Peters' departure from OCR headquarters, Holtzman says, "it is important to remember that much of the decision making and investigative work for enforcement of the HIPAA rules is led by OCR's regional offices. And, there is a team of career professionals in place that are passionate in their work to ensure the HIPAA rules continue to provide meaningful protections for consumers and to pursue appropriate enforcement actions when there is evidence that an organization is not in compliance."
Peters' successor, Noonan, has been with OCR for more than five years, and previously served in the Department of Education, Office of Civil Rights, Holtzman notes.
In the meantime, Holtzman warns against "draw[ing] parallels" between the departure of McGraw and Peters.
"Keep in mind that both were in civil service positions and that the selection and work of these professionals are insulated from the winds of political change," he notes. "Perhaps the perception of 'brain drain' from OCR is because the health information privacy team has an outsize role in policy and enforcement because of the small size of the group as well as the influence they wield through the respect they garner in the healthcare industry."